A new iteration of the sophisticated cyberespionage tool known as Mandrake has been uncovered in five applications on the Google Play Store, remaining undetected for nearly two years. This revelation comes from research done by cybersecurity firm Kaspersky, which highlighted that these apps had been installed over 32,000 times.
Mandrake, initially identified by Bitdefender in 2020, has a history of avoiding detection and targeting specific victims based on their potential value. The latest version of Mandrake employs advanced obfuscation techniques and evasion methods, making it challenging for security tools to detect.
Hidden in seemingly innocuous apps, such as a memory training app and an app for those interested in learning about astronomy, Mandrake gathers extensive device data before executing its main malicious functions. These functions include enabling WiFi, initiating remote screencasting, and accessing user credentials. Google has since removed these apps from the Play Store and has strengthened its security measures to limit what future sophisticated threats of this kind can access.
Why It Matters: The discovery of Mandrake’s new and advanced version within the Google Play Store is particularly unsettling, especially given that it remained undetected for nearly two years. This revelation reiterates the persistent and evolving nature of cyber threats and highlights that even major technology platforms like Google are not immune to sophisticated attacks. It serves as a stark reminder of the need for relentless vigilance and continual advancements in cybersecurity practices.
- Advanced Evasion Techniques: Mandrake’s latest version uses sophisticated methods like obfuscated native libraries and certificate pinning for command-and-control (C2) communications, making detection difficult for conventional security tools.
- Targeted Data Collection: The malware collects extensive information about the device and its user in stages, starting with basic device data and escalating to remote access and credential theft if the victim is deemed valuable.
- Selective Targeting: Mandrake has historically avoided low-income and less strategically important regions, focusing on more lucrative targets in developed countries, which reflects its operators’ strategic approach.
- Continuous Evolution: Mandrake’s ability to evolve and bypass new defense mechanisms highlights the sophisticated skills of its operators and the ongoing challenge of securing app marketplaces against advanced cyber threats.
New Mandrake Spyware Found in Google Play Store Apps After Two Years – The Hacker News